interceptor for JSP pages


interceptor for JSP pages

Venkat Ravuri
I tried to implement a security Interceptor by implementing the Interceptor interface. It works well for the action beans, just fine.
Now how do I make sure my JSPs go through that interceptor if I directly access them?

Let's say I want to access localhost/myapp/app.jsp directly; I want my interceptor to kick in in between and reject direct access to this page.
I want to make sure users don't access the JSP directly. How do I do it?

<filter-mapping>
    <filter-name>StripesFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<init-param>
    <param-name>ActionResolver.Packages</param-name>
    <param-value>com.myapp.Registration,/WEB-INF/classes</param-value>
    <!-- <param-value>com.myapp.Registration,/WEB-INF/classes</param-value>-->
</init-param>

I have already configured the Stripes Filter and have action beans configured for these JSP pages; even then my interceptor doesn't kick in.

How do I address this issue?

Thanks,
Venkat

_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

Re: interceptor for JSP pages

Marcus Kraßmann-2
Hello Venkat,

The usual way of protecting JSPs from direct access is to place them in a folder under /WEB-INF. This way, only ForwardResolutions can access them.

If you need a finer security management, you could use a custom security tag. A good example exists in the Stripes wiki:
http://www.stripesframework.org/display/stripes/Security+Interceptor+for+custom+authorization

Kind regards,
Marcus


On 12.02.2013 00:49, Venkat Ravuri wrote:
I tried to implement a security Interceptor by implementing the Interceptor interface. It works well for the action beans, just fine.
Now how do I make sure my JSPs go through that interceptor if I directly access them?

Let's say I want to access localhost/myapp/app.jsp directly; I want my interceptor to kick in in between and reject direct access to this page.
I want to make sure users don't access the JSP directly. How do I do it?

<filter-mapping>
    <filter-name>StripesFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<init-param>
    <param-name>ActionResolver.Packages</param-name>
    <param-value>com.myapp.Registration,/WEB-INF/classes</param-value>
    <!-- <param-value>com.myapp.Registration,/WEB-INF/classes</param-value>-->
</init-param>

I have already configured the Stripes Filter and have action beans configured for these JSP pages; even then my interceptor doesn't kick in.

How do I address this issue?

Thanks,
Venkat
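
The /WEB-INF approach from the reply above, as an added example (not code from this thread or from the Stripes project): the JSP is reachable only through an action bean, so an interceptor runs on every request for it. The block holds two source files; the class names, the /app.action and /login.action bindings, the /WEB-INF/jsp/app.jsp path and the "user" session attribute are assumptions.

```java
// ---- File: com/myapp/Registration/AppActionBean.java (hypothetical) ----
package com.myapp.Registration;

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.UrlBinding;

// The only public entry point to the page; /app.action is an assumed binding.
@UrlBinding("/app.action")
public class AppActionBean implements ActionBean {
    private ActionBeanContext context;
    public void setContext(ActionBeanContext context) { this.context = context; }
    public ActionBeanContext getContext() { return context; }

    @DefaultHandler
    public Resolution view() {
        // Server-side forward: the container serves files under /WEB-INF
        // only to internal dispatches, never to a client-supplied URL.
        return new ForwardResolution("/WEB-INF/jsp/app.jsp");
    }
}

// ---- File: com/myapp/Registration/LoginRequiredInterceptor.java (hypothetical) ----
package com.myapp.Registration;

import net.sourceforge.stripes.action.RedirectResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.controller.ExecutionContext;
import net.sourceforge.stripes.controller.Interceptor;
import net.sourceforge.stripes.controller.Intercepts;
import net.sourceforge.stripes.controller.LifecycleStage;

// Runs after an action bean has been resolved and before its handler executes.
@Intercepts(LifecycleStage.HandlerResolution)
public class LoginRequiredInterceptor implements Interceptor {
    public Resolution intercept(ExecutionContext ctx) throws Exception {
        javax.servlet.http.HttpServletRequest req = ctx.getActionBeanContext().getRequest();
        // getSession(false): do not create a session for anonymous clients.
        javax.servlet.http.HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        // Exempt the (assumed) login binding so the redirect cannot loop.
        if (!loggedIn && !"/login.action".equals(req.getServletPath())) {
            return new RedirectResolution("/login.action");
        }
        return ctx.proceed();
    }
}
```

Register the interceptor through the StripesFilter `Interceptor.Classes` init-param and move app.jsp out of the web root into /WEB-INF/jsp/.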



Re: interceptor for JSP pages

Poitras Christian

Hi,

Maybe the Interceptors are not run for JSPs because it’s not an ActionBean instance. I guess most lifecycle stages are skipped because they simply don’t make sense.

In such a case, you may have better luck using the RequestInit and RequestComplete lifecycle stages.

Christian

From: Marcus Kraßmann [mailto:[hidden email]]
Sent: February-12-13 12:06 AM
To: Stripes Users List
Subject: Re: [Stripes-users] interceptor for JSP pages

Hello Venkat,

The usual way of protecting JSPs from direct access is to place them in a folder under /WEB-INF. This way, only ForwardResolutions can access them.

If you need a finer security management, you could use a custom security tag. A good example exists in the Stripes wiki:
http://www.stripesframework.org/display/stripes/Security+Interceptor+for+custom+authorization

Kind regards,
Marcus

